0 Replies Latest reply on Sep 8, 2017 7:14 AM by wrkoch

    Neo-security file changes

    wrkoch Level 1

      I'm trying to adjust the neo-security.xml file on my CF9 instance to trap cross site scripting things like:

      myurl.cfm/?'==alert(22)=='

      myurl.cfm/?'++alert(22)'

      I modified the xml like this but it seems I haven't gotten the regular expression right.


        <data>
          <struct type="coldfusion.server.ConfigMap">
            <var name="admin.userid.root">
              <string>admin</string>
            </var>
            <var name="rds.security.enabled">
              <boolean value="true" />
            </var>
            <var name="admin.userid.required">
              <boolean value="false" />
            </var>
            <var name="contexts">
              <struct type="coldfusion.server.ConfigMap">
                <var name="/">
                  <struct type="coldfusion.server.ConfigMap"></struct>
                </var>
              </struct>
            </var>
            <var name="CrossSiteScriptPatterns">
              <struct type="coldfusion.server.ConfigMap">
                <var name="\s*(object|embed|script|applet|meta|iframe)\b">
                  <string>&lt;InvalidTag</string>
                </var>
                <var name="\\3F\\27*(\=|\+)*">
                  <string>Inject</string>
                </var>
              </struct>
            </var>
            <var name="sbs.security.enabled">
              <boolean value="false" />
            </var>
            <var name="admin.security.enabled">
              <boolean value="true" />
            </var>
          </struct>
        </data>

      CF throws an error.

      "Error","scheduler-1","09/06/17","09:35:59",,"Unable to initialize Security service: coldfusion.server.ServiceException:
      [C:\Jrun4\servers\d-itar10-9800\cfusion.ear\cfusion.war\WEB-INF\cfusion\lib\neo-security.xml]coldfusion.wddx.WddxDeserializationException:
         WDDX packet parse error at line 1, column 1. Content is not allowed in prolog.."


      Any ideas on the correct format?
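Editor's added example (not the poster's code and not part of ColdFusion) for checking a neo-security.xml edit offline before restarting the server. It exercises the two things the post runs into: anything sitting in front of the WDDX root element, which a WDDX parser reports as "Content is not allowed in prolog", and CrossSiteScriptPatterns regexes that do not compile or do not match what you expect. Assumptions: the file is a WDDX packet (`<wddxPacket version='1.0'><header/><data>…`), ColdFusion evaluates the pattern keys as Java regexes, Python's `re` behaves the same for the constructs used here, and matching is case-insensitive. The sample XML is constructed from the posted CrossSiteScriptPatterns block with the other keys omitted.

```python
"""Sanity-check a ColdFusion neo-security.xml CrossSiteScriptPatterns edit.

Added example; assumes the neo-*.xml files are WDDX packets and that the
pattern keys are Java regexes (Python's re is equivalent for these patterns).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the posted block, wrapped in the WDDX envelope
# (assumption about the file format). Raw string: backslashes are literal.
SAMPLE_NEO_SECURITY = r"""<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
  <var name='CrossSiteScriptPatterns'>
    <struct type='coldfusion.server.ConfigMap'>
      <var name='&lt;\s*(object|embed|script|applet|meta|iframe)\b'>
        <string>&lt;InvalidTag</string>
      </var>
      <var name='\\3F\\27*(\=|\+)*'>
        <string>Inject</string>
      </var>
    </struct>
  </var>
</struct>
</data></wddxPacket>"""


def prolog_problem(text):
    """Describe anything that precedes the WDDX root element, or return None.

    A byte-order mark, stray text, or a file that starts at <data> instead of
    <wddxPacket> all surface as 'Content is not allowed in prolog' in CF's log.
    """
    if text.startswith("\ufeff"):
        return "byte-order mark before the root element"
    head = text.lstrip(" \t\r\n")
    if not head.startswith("<"):
        return "non-markup text before the root element: %r" % head[:20]
    if not (head.startswith("<wddxPacket") or head.startswith("<?xml")):
        return "root element is %r, expected <wddxPacket>" % head.split(">", 1)[0]
    return None


def load_xss_patterns(text):
    """Return [(regex, replacement), ...] from the CrossSiteScriptPatterns map.

    The XML parser decodes &lt; in the attribute, so the regex seen here is the
    one CF would compile, not the escaped form stored on disk.
    """
    root = ET.fromstring(text)
    for var in root.iter("var"):
        if var.get("name") == "CrossSiteScriptPatterns":
            inner = var.find("struct")
            return [(v.get("name"), v.findtext("string", ""))
                    for v in inner.findall("var")]
    return []


def compile_patterns(pairs):
    """Compile each regex; return (compiled pairs, {regex: error message}).

    An unbalanced parenthesis such as '...iframe))\\b' lands in the error map
    instead of silently disabling the filter.
    """
    compiled, errors = [], {}
    for regex, repl in pairs:
        try:
            compiled.append((re.compile(regex, re.IGNORECASE), repl))
        except re.error as exc:
            errors[regex] = str(exc)
    return compiled, errors


def scrub(value, compiled):
    """Apply every pattern to a request value, scriptProtect-style."""
    for pattern, repl in compiled:
        # A callable replacement keeps backslashes in repl literal.
        value = pattern.sub(lambda m, r=repl: r, value)
    return value


if __name__ == "__main__":
    print("prolog check:", prolog_problem(SAMPLE_NEO_SECURITY))
    print("prolog check (BOM):", prolog_problem("\ufeff" + SAMPLE_NEO_SECURITY))
    compiled, errors = compile_patterns(load_xss_patterns(SAMPLE_NEO_SECURITY))
    print("compile errors:", errors)
    for probe in ["<script>alert(1)</script>", "'==alert(22)=='", r"\3F\27=="]:
        print(repr(probe), "->", repr(scrub(probe, compiled)))
```

Two things the run makes visible: the posted `\\3F\\27*(\=|\+)*` key only fires on a value that literally contains a backslash followed by `3F`, so the decoded query string `'==alert(22)=='` passes through untouched, and the `*` after `27` binds to the `7` alone, not to `\\27` as a unit.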